Closed Bug 665418 Opened 13 years ago Closed 13 years ago

Firebug 0-day posted to Full-Disclosure

Categories

(addons.mozilla.org :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dveditz, Unassigned)

Attachments

(2 files)

Firebug 0-day was posted to the full-disclosure mailing list today
http://seclists.org/fulldisclosure/2011/Jun/394

Completely unclear what version of Firefox and Firebug are involved, still testing various combinations.

- - - - - - - - - -

80vul.com discovered that Firebug, a famous Firefox extension, is vulnerable
to Cross Context Scripting, and this vul can execute evil codz in the chrome
privileged Firefox zone. So successful exploitation allows execution of
arbitrary code in user’s system.


*Exploitation*

a demo : http://www.80vul.com/firefox/firebug0day.htm

Open the firebug, and visit the exploit's URL, then open "NET"
-->URL-->"HTML", and gcalctool is executed.
Attached file: Windows version of PoC

I could not reproduce using any of the following combinations (on Windows)

Firebug     Firefox
1.6.2       3.6.18
1.7.2       3.6.18
1.7.2       4.0.1
1.7.2       nightly (few days old)

Will see if I can reproduce this.

Also not able to reproduce up to Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko Firefox/5.0 build id: BuildID=20110615151330 and Firebug 1.7.2 - the only error I got in the error console is:

    Error: Permission denied for <https://bug665418.bugzilla.mozilla.org> to get property XPCComponents.classes
    Source File: https://bug665418.bugzilla.mozilla.org/attachment.cgi?id=540402
    Line: 1

Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE

Reopening... bug 665369 seems to be about the fix that worked in Firebug 1.8 not working in Firebug 1.7, not the exploit itself. Maybe this "depends on" that one, or maybe they fix the exploit some other way (e.g. removing the NET tab entirely, for one unlikely approach).

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

I can reproduce this on 4.0.1 (Mac) and 5.0 Beta (Mac) with Firebug 1.7.2.
Is the Firebug team aware of this?
BTW, there's a typo in the dependency bug number. I don't have access so I can't correct it.

Version 1.7.3 has been approved and pushed to the public. It should appear on the site within the hour and be pushed to most users within a few days. This version basically disabled the HTML section of the Net tab.

Depends on: 665369

I see 1.7.3 on the site, calling this fixed.

Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

More info:
http://code.google.com/p/fbug/issues/detail?id=4553

A clearer test case:
https://fbug.googlecode.com/svn/tests/content/branches/1.8/net/4553

Note that evidence of a successful exploit here is Firefox > Tools > Error Console message about file name problems when you click on the HTML tab in the url of the net panel.  If you just load the page you will get a permission denied message from the copy of the HTML running in the Firefox tab. Only after you drill down in Firebug will you get the exploit message. 

Firebug 1.7.3 had to disable the HTML tab because 1.7 supports FF3.6. Firebug 1.8 (supporting FF4.0 and 5.*) restores the HTML tab because FF4.0+ does not suffer bug 665369. 

I don't believe any further action is needed on this bug.